From f9be5b99add93e87804f9cbb482eb3bf59599400 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 21 Mar 2017 10:23:53 +0100 Subject: [PATCH] Rule: Suspicious task creation description changed --- rules/windows/sysmon/sysmon_susp_schtask_creation.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml index b6bff9e29..5b255d1e4 100644 --- a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml +++ b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml @@ -1,6 +1,6 @@ title: Scheduled Task Creation status: experimental -description: "Detetcs a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')" +description: Detects the creation of scheduled tasks in user session author: Florian Roth logsource: product: windows @@ -15,4 +15,5 @@ detection: condition: selection and not filter falsepositives: - Administrative activity + - Software installation level: low
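Review bot: The new `description` line in the first hunk reads "in user session" without an article and does not say what qualifies a session as a user session. Since the condition is `selection and not filter`, consider "Detects the creation of scheduled tasks in a user session" plus a few words on what the filter excludes, so the description matches the logic. The context line `title: Scheduled Task Creation` is also more generic than the file name and commit subject, which both call the activity suspicious; aligning them would help anyone triaging on the title alone.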
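Review bot: The added `- Software installation` entry under `falsepositives` in the second hunk gives an analyst no way to tell an installer from unwanted task creation. With `level: low` and two broad benign sources now listed, a short tuning hint would help, for example pointing at the `filter` used in `condition: selection and not filter` as the place to exclude known installers. The filter definition is outside the visible context, so it is not clear from this patch whether installers running in a user session are already covered.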